Method and vehicle-to-X communication system for selectively checking data security sequences of received vehicle-to-X messages

ABSTRACT

A method for selectively checking data security sequences of received vehicle-to-X messages, in which a number of the vehicle-to-X messages are received and/or sent in an operating cycle of a vehicle-to-X communication system. In an operating cycle, a reliability assessment of the received vehicle-to-X message is performed by checking the data security sequence, and an information content of the received messages is read without prior checking of the data security sequence. In the operating cycle, a subset of the number of received vehicle-to-X messages is selected on the basis of the information contents, and solely the data security sequences of selected vehicle-to-X messages are checked. This results in the advantage that a reliability assessment is no longer carried out on all the received vehicle-to-X messages before they are processed, thereby enabling a reduction in the checking capacity that must be reserved for checking the data security sequence.

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims priority to German Patent Application Nos. 10 2011 006 305.6, filed Mar. 29, 2011, 10 2012 204 880.4, filed Mar. 27, 2012, and PCT/EP2012/055523, filed Mar. 28, 2012.

FIELD OF THE INVENTION

The invention relates to a method for selectively checking data security sequences of received vehicle-to-X messages, a system for selectively checking data security sequences of received vehicle-to-X messages, and the use thereof.

BACKGROUND

Vehicle-to-X communication systems which are suitable for information transmission both between different vehicles (vehicle-to-vehicle communication) and between vehicles and infrastructure facilities (vehicle-to-infrastructure communication) are already known in the prior art. Both variants are usually grouped under the generic term “vehicle-to-X communication”. The transmitted vehicle-to-X data may be of a safety-critical nature and cause an autonomous intervention by a vehicle system in the vehicle control system. Accordingly, strict demands for data security and reliability are placed at least on the safety-critical vehicle-to-X data in order to protect a recipient from maliciously manipulated data and hence from control interventions based on false information.

DE 10 2010 038 640 A1 describes in this connection a device and a method for vehicle-to-X communication. The disclosed method is based on a combination of communication technologies, each of which is different and has different properties. A first communication channel can be implemented e.g. as a mobile communication channel, whereas a second communication channel is implemented as a WLAN channel. Which type of information is sent over which communication channel is determined by sender-based sorting of the information to be sent. According to DE 10 2010 038 640 A1, periodically occurring or static information is transmitted over the first channel, whereas safety-relevant information is transmitted over the second channel.

DE 10 2011 004 505 A1 discloses a method for secure vehicle-to-X communication. The reliability of a vehicle-to-X message is in this case checked, for example, by measuring the position and/or speed of the sender and by subsequently comparing the measured information with the information contained in the vehicle-to-X message. If a difference is identified, the received vehicle-to-X message is classified as unreliable and handled accordingly. By using the method described in DE 10 2011 004 505 A1 it is possible to send e.g. the “cooperative awareness messages” as they are known without a cryptographic data security structure thereby not only making the sent messages up to 80% shorter but also reducing the electronic computing power required for the data security check.

DE 10 2010 002 092 A1 describes data processing for received vehicle-to-X messages, which processing precedes forwarding of the messages to the associated applications and systems in the vehicle and processing of same by these applications and systems. Such data processing can comprise checking a security level of the message and additionally perform a data reduction process. The data reduction process causes information about certain objects or situations to be suppressed and hence said information is not forwarded and processed. Thus, for instance, information about objects located too far from the receiving vehicle or information about objects that are only reached by the vehicle after a certain period of time is ignored. Likewise, a large number of spatially close objects having fundamentally the same response to a situation are combined e.g. into a traffic jam. It is also possible to take account solely of objects located in the intended channel of movement of the vehicle. The amount of data to be processed by the individual applications can thereby be reduced significantly.

It is probable from current efforts that a PKI-based (Public Key Infrastructure) data security method will be used for the large-scale introduction of vehicle-to-X communication systems, which method draws on what are known as elliptic curves as cryptographic algorithms. Although such a security method has the advantage that only relatively short digital key sequences are needed, it has the disadvantage that a relatively large amount of computing power must be expended on checking the key sequences. Since the vehicle-to-X communication methods known from the prior art additionally perform a check of a data security structure only according to permanently defined schemes, this inflexible manner of processing means that, taking into account the very high latency requirements for managing reliably under all circumstances a potentially arising computational load, dedicated processing units are essential, which in turn are associated with relatively high manufacturing costs.

Therefore the object of the present invention is to reduce the computational load for checking the data security sequences that arises in connection with receiving a multiplicity of vehicle-to-X messages while simultaneously guaranteeing a high data security standard.

INTRODUCTORY DESCRIPTION OF THE INVENTION

This object is achieved according to the invention by the method for selectively checking data security sequences of received vehicle-to-X messages.

According to the method according to the present invention for selectively checking data security sequences of received vehicle-to-X messages, a number of vehicle-to-X messages are received and/or sent in an operating cycle of a vehicle-to-X communication system, wherein a vehicle-to-X message comprises a data security sequence. In addition in the operating cycle, a reliability assessment of the received vehicle-to-X message is performed by checking the data security sequence, and in the operating cycle, an information content of the received vehicle-to-X messages is read without prior checking of the data security sequence. The method is characterized in that in the operating cycle, a subset of the number of received vehicle-to-X messages is selected on the basis of the information contents, and solely the data security sequences of selected vehicle-to-X messages are checked. This results in the advantage that a reliability assessment is no longer carried out on all the received vehicle-to-X messages before they are processed, thereby enabling a reduction in the checking capacity, in other words computing power, that must be reserved for checking the data security sequence. This results in a reduction in the manufacturing effort and manufacturing costs.

Selecting on the basis of the information content of a received vehicle-to-X message means that depending on the information content, it is possible to dispense with a check of the data security sequence. If the information content turns out to be irrelevant to the recipient anyway, there is no need to check the reliability of the associated vehicle-to-X message and hence of the information content, because the vehicle-to-X message will not be processed anyway. Conversely, vehicle-to-X messages that prove to have an information content that is relevant to the recipient are normally selected and hence checked in the current operating cycle.

Within the meaning of the invention, an operating cycle comprises the method steps of sending or receiving vehicle-to-X messages, reading the information contents, selecting the vehicle-to-X messages and checking the data security sequences (reliability assessment).

The vehicle-to-X messages usually additionally contain a pseudonym, which identifies the sender of the vehicle-to-X message. The pseudonym can hence be used to assign a plurality of received vehicle-to-X messages to a sender.

For reasons of data protection and for the purpose of maintaining the privacy of the sender, the pseudonym can be changed on a regular or irregular basis.

It is preferably provided that the selection on the basis of the information contents takes into account at least one of the following factors:

actual speed of the recipient,

relative speed of the recipient with respect to the sender,

activation status of driver assistance systems and/or comfort systems,

distance between the recipient and sender,

estimated time of entry of the sender into a critical zone around the recipient,

estimated time of intersection of the trajectories of motion of the sender and recipient,

estimated time of the recipient colliding with the sender,

orientation of the recipient with respect to the sender,

relative direction of travel of the recipient with respect to the sender, and

road classification,

wherein the critical zone has an adaptable extent and outline, and wherein the road classification is made according to a permitted maximum speed and/or a lane width and/or separation of lanes and/or a number of lanes and/or a proximity to built-up areas and/or weather conditions. The factors “distance between the recipient and sender” and “relative direction of travel of the recipient with respect to the sender” for instance can be jointly taken into account so as to always select the sender that is closest to the recipient in the direction of travel. Taking these factors into account in the selection, or combining these factors in the selection, makes it easily possible to distinguish vehicle-to-X messages that may be relevant and hence must be selected from vehicle-to-X messages that are irrelevant to the recipient and accordingly do not need to be selected.

In addition, it is preferred that the selection on the basis of the information contents takes into account a comparison of the information contents with information contents of information detected by at least one surround sensor, wherein the vehicle-to-X messages having information contents which match the information contents of information detected by the at least one surround sensor are not selected. Received vehicle-to-X messages having information contents which can be confirmed by at least one surround sensor no longer need to be selected for checking the data security sequence because an alternative reliability assessment is also made by the comparison of the information contents without this relatively computationally intensive check. If the information contents match, it can be assumed that the vehicle-to-X message is reliable.

In a further preferred embodiment of the invention, it is provided that the selection on the basis of the information contents takes into account an intervention in the vehicle control system that will be actuated by a processing of the vehicle-to-X message, wherein the vehicle-to-X message that causes an intervention in the vehicle control system on being processed is always selected. This results in the advantage that the reliability is always assessed before processing vehicle-to-X messages, the processing of which causes an intervention in the vehicle control system and which are therefore highly safety critical. If the vehicle-to-X message is assessed as unreliable on the basis of the check of the data security sequence, processing of the message is prevented and consequently a possibly dangerous intervention in the vehicle control system based on unreliable information.

Furthermore it is advantageous that the selection on the basis of the information contents takes into account a driver warning that will be actuated by a processing of the vehicle-to-X message, wherein the vehicle-to-X message that causes a warning on being processed is always selected. Since a warning can actuate an action by the driver and hence by the vehicle, by selecting the vehicle-to-X message, if applicable an unnecessary warning is suppressed. At the same time, the driver is not unsettled by an incorrect or unnecessary warning.

The method according to the invention is preferably characterized in that the data security sequences are generated and allocated by a method based on an infrastructure for generating and allocating public keys, wherein the data security sequences are encrypted in particular by an elliptic curve algorithm. An infrastructure of this type for allocating and generating public keys is also known as a “public key infrastructure”. A method based on a public key infrastructure for generating and allocating the data security sequences has the advantage that a central control station is present, which can withdraw a valid data security sequence from a sender that is demonstrably sending incorrect information deliberately. In addition, new data security sequences can be allocated regularly via the central station in order to reduce the risk that a data security sequence already in use for a relatively long time has been tampered with during this time and is now being misused to allocate deliberate misinformation. It is also easily possible to allocate to the individual communication users via the central station pseudonyms that change at regular or irregular intervals in order to guarantee the privacy of said users and to improve data protection. Using a cryptographic algorithm based on elliptic curves also has the advantage that the data security sequence to be sent has a relatively low data volume and hence only occupies a relatively small bandwidth of the transmission channel.

It is preferably provided that in the operating cycle, a selection correction that follows the selection and precedes the check is carried out if the subset of the vehicle-to-X messages selected on the basis of the information contents is greater than or less than the available checking capacity, wherein the selection correction fully utilizes an available checking capacity of the vehicle-to-X communication system. This results in the advantage that no checking capacity remains unused in the current operating cycle. If the selected subset does not fully utilize the available checking capacity, the statistical selection method can be a purely random, additional selection from the total number of vehicle-to-X messages that have not yet been selected in the current operating cycle. The subset corrected by the selection correction and selected for checking equals in this case the maximum number of vehicle-to-X messages or data security sequences that can be checked using the available checking capacity. In order to check a subset of data security sequences that fully utilizes the available checking capacity, the relevance of the individual information contents can be graduated extremely finely for the selection correction. For example, if there is sufficient checking capacity also available in the current operating cycle to check those vehicle-to-X messages that were not initially selected, these vehicle-to-X messages can also be selected by means of the selection correction. Conversely, if the selected subset exceeds the available checking capacity, this subset can be reduced by means of the selection correction by the selection correction confirming from the total number of vehicle-to-X messages already selected in the current operating cycle only a certain portion that corresponds to the available checking capacity. If a selection correction is carried out, this method step is added to the operating cycle.

For the case that in total fewer vehicle-to-X messages are received than it would be possible to check using the available checking capacity, this is an exception in which the available checking capacity is not utilized in full.

The available checking capacity is obtained from a computing power installed in the receiving vehicle-to-X communication system and earmarked for checking the data security sequence.

Particularly preferably, the selection correction based on a statistical selection method takes into account at least one of the following factors:

reception of more than one vehicle-to-X message from a specific sender in the same operating cycle,

result of the reliability assessment of at least one vehicle-to-X message from the specific sender in at least one previous operating cycle,

wherein on receiving more than one vehicle-to-X message from the specific sender, not all the vehicle-to-X messages from the specific sender are selected in the operating cycle, and wherein, depending on the result of the reliability assessment of at least one vehicle-to-X message from the specific sender in at least one previous operating cycle, a vehicle-to-X message received in the operating cycle from the specific sender is not selected. Hence the subset of vehicle-to-X messages to be checked is restricted by the selection correction in that only those vehicle-to-X messages can be selected that have not been sent by a sender from which the vehicle-to-X messages have already been checked previously. This in turn results in the advantage that preferably those vehicle-to-X messages are selected that have a comparatively higher probability of being unreliable, whereas conversely, those vehicle-to-X messages that have a comparatively high probability of being reliable are not selected. Taking into account the reliability assessments of vehicle-to-X messages received in a previous operating cycle from a specific sender can be restricted, for example depending on the situation, to two to ten previous operating cycles. Vehicle-to-X messages from the specific sender from which data security sequences of vehicle-to-X messages received in a previous operating cycle have already been selected and checked in one of the two to ten previous operating cycles, depending on the situation, are then not checked in the current operating cycle. It is equally possible to select only a single vehicle-to-X message from a number of vehicle-to-X messages received in the same operating cycle from a specific sender. If this single selected vehicle-to-X message has been checked and assessed as reliable, it can be assumed with a high level of probability that the vehicle-to-X messages received in the same operating cycle from the specific sender are likewise reliable. The checking effort can thereby be reduced further.
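The content-based selection and the selection correction described above, written out in Python as an added example (it is not part of the patent text or of any implementation of it). The field names, the two relevance thresholds, the urgency ordering, the `stub_verify` stand-in for the elliptic-curve check and the rule that always-selected messages may exceed the capacity are assumptions of this example; the input data is constructed.

```python
import random
from dataclasses import dataclass

MAX_DISTANCE_M = 150.0   # assumed relevance threshold, not from the text
MAX_TTC_S = 8.0          # assumed relevance threshold, not from the text
HISTORY_CYCLES = 5       # the text suggests two to ten previous cycles

@dataclass(frozen=True)
class V2XMessage:
    msg_id: int
    pseudonym: str                        # sender pseudonym read from the message
    distance_m: float                     # distance between recipient and sender
    time_to_collision_s: float            # estimated time until collision with sender
    triggers_intervention: bool = False   # processing would actuate vehicle control
    triggers_warning: bool = False        # processing would actuate a driver warning
    sensor_confirmed: bool = False        # content matches a surround-sensor detection
    signature_ok: bool = True             # constructed ground truth for stub_verify

def is_mandatory(m):
    """Messages that cause an intervention or a warning are always selected."""
    return m.triggers_intervention or m.triggers_warning

def select_by_content(messages):
    """Selection on the basis of the information contents, before any check."""
    selected, unselected = [], []
    for m in messages:
        if is_mandatory(m):
            selected.append(m)
        elif m.sensor_confirmed:          # alternative reliability assessment
            unselected.append(m)
        elif m.distance_m <= MAX_DISTANCE_M or m.time_to_collision_s <= MAX_TTC_S:
            selected.append(m)
        else:                             # irrelevant to the recipient
            unselected.append(m)
    return selected, unselected

def correct_selection(selected, unselected, capacity, history, cycle_no, rng):
    """Selection correction: fit the selected subset to the checking capacity."""
    kept, seen, pool = [], set(), list(unselected)
    # Assumed ordering: mandatory first, then the shortest time to collision.
    ranked = sorted(selected, key=lambda m: (not is_mandatory(m), m.time_to_collision_s))
    for m in ranked:
        duplicate = m.pseudonym in seen
        trusted = cycle_no - history.get(m.pseudonym, -10**9) <= HISTORY_CYCLES
        if is_mandatory(m) or not (duplicate or trusted):
            kept.append(m)
            seen.add(m.pseudonym)
        else:
            pool.append(m)
    # Assumption: mandatory messages are never dropped, even above capacity.
    limit = max(capacity, sum(is_mandatory(m) for m in kept))
    if len(kept) > limit:
        pool.extend(kept[limit:])
        kept = kept[:limit]
    elif len(kept) < capacity and pool:
        # Spare capacity: purely random additional selection from the rest.
        extra = rng.sample(pool, min(capacity - len(kept), len(pool)))
        kept.extend(extra)
        pool = [m for m in pool if m not in extra]
    return kept, pool

def stub_verify(m):
    """Stand-in for the elliptic-curve check of the data security sequence."""
    return m.signature_ok

def run_cycle(messages, capacity, history, cycle_no, rng, verify=stub_verify):
    """One operating cycle: read, select, correct, check, forward or discard."""
    selected, unselected = select_by_content(messages)
    to_check, unchecked = correct_selection(
        selected, unselected, capacity, history, cycle_no, rng)
    forwarded, discarded = list(unchecked), []
    for m in to_check:
        if verify(m):
            history[m.pseudonym] = cycle_no
            forwarded.append(m)
        else:
            history.pop(m.pseudonym, None)   # sender loses its trusted status
            discarded.append(m)
    return to_check, forwarded, discarded

def fig3_messages():
    """Constructed inputs modelled on the second FIG. 3 example (recipient: vehicle 32)."""
    return [
        V2XMessage(33, "p33", 20.0, 30.0, sensor_confirmed=True),   # radar
        V2XMessage(34, "p34", 15.0, 12.0),
        V2XMessage(35, "p35", 25.0, 40.0, sensor_confirmed=True),   # stereo camera
        V2XMessage(36, "p36", 30.0, 20.0),
        V2XMessage(37, "p37", 200.0, 6.0),                          # far but fast
    ]

if __name__ == "__main__":
    history, rng = {}, random.Random(0)
    checked, forwarded, discarded = run_cycle(fig3_messages(), 3, history, 1, rng)
    print("checked:", sorted(m.msg_id for m in checked))
    print("forwarded unchecked:", sorted(m.msg_id for m in forwarded if m not in checked))
```

With a capacity of three, the constructed input has the messages from vehicles 34, 36 and 37 checked and those from 33 and 35 forwarded on the strength of the sensor match. In the following cycle the three checked senders count as recently verified, so the capacity is filled by the random additional selection instead.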

Furthermore it is preferred that the received vehicle-to-X messages are forwarded to at least one driver assistance system and processed by same, wherein the at least one driver assistance system is designed to warn a driver and/or to intervene in the vehicle control system and/or to override a driver instruction. This results in the advantage that the received vehicle-to-X messages can be used to avert danger situations and, if applicable, can even be used for immediate and autonomous accident prevention without involvement of the driver or countermanding a control input of the driver. The warning can be visual, acoustic and/or haptic, wherein for the visual warning an indicator in the dashboard, the rearview mirror, on the steering wheel or in the instrument panel is particularly suitable. The acoustic warning can be output e.g. via the in-vehicle loudspeaker of a car radio, and the haptic warning can be output in the form of vibrations, for instance via the steering wheel or the gas pedal.

The method according to the invention is also readily suitable for integrating additional selection steps of a similar selection method, so that the method according to the invention can be combined with similar methods or at least with a method aimed at a similar purpose.

In addition, the invention relates to a vehicle-to-X communication system for selectively checking data security sequences of received vehicle-to-X messages, which system includes a sending module and a receiving module, a checking module and a readout module. The sending module sends vehicle-to-X messages, and the receiving module receives vehicle-to-X messages, wherein in one operating cycle of the vehicle-to-X communication system, a number of vehicle-to-X messages are sent and/or received and/or read and/or checked, and wherein the vehicle-to-X messages each comprise a data security sequence. In the operating cycle, the readout module reads information contents of the received vehicle-to-X messages without prior checking of the data security sequence, and the checking module performs in the operating cycle a reliability assessment of the received vehicle-to-X messages by checking the one data security sequence in each message. The vehicle-to-X communication system is characterized in that a selection module is additionally provided, which in the operating cycle selects on the basis of the information contents a subset of the number of received vehicle-to-X messages. The system according to the invention hence includes all necessary means for implementing the method according to the invention and enables in a simple manner a reduction in the data security sequences to be checked of received vehicle-to-X messages. This results in the advantages already described.

The system is preferably characterized in that the sending module and/or the receiving module and/or the readout module and/or the selection module includes a shared chipset and in particular a shared processing unit. This results in the advantage that each of the modules does not need to be fitted with a dedicated processor or provided with a dedicated chipset, which both simplifies the manufacturing process and reduces the production costs. The shared access of different modules to the same chipset or the same processor also results in an efficient and fast data link between the modules.

It is preferably provided that the processing unit of the sending module and/or the receiving module and/or the readout module and/or the selection module is assigned to any one driver assistance system or vehicle control unit. The manufacturing process of the system according to the invention and the production costs can thereby be reduced further. For example, the processing unit of a control unit intended for the electronic stability control of the vehicle can be used by the readout module as long as no stability control intervention is being carried out. It is equally possible to use a processing unit of an airbag control unit e.g. for the selection module, as long as the airbag does not need to be released. Since such control units normally largely remain unused or underused while the vehicle is running, the thereby available, unused computing power can usefully be made available during this period to individual modules or a plurality of modules of the system according to the invention.

The system is preferably characterized in that the checking module includes a processing unit having a dedicated design for checking cryptographic algorithms based on elliptic curves. Since a cryptographic algorithm based on elliptic curves enables the advantage of a relatively small volume of data combined with relatively high data security, the use of the algorithm results in the advantages already described of reduced bandwidth occupancy of the transmission channel. On the other hand, the data processing of a cryptographic algorithm based on elliptic curves uses a relatively large amount of computing power, so that using a processing unit with a dedicated design makes it possible to achieve a faster reliability assessment.

It is preferably provided that the sending module and/or the receiving module is designed to send and/or receive the vehicle-to-X messages by means of at least one of the following connection types:

WLAN connection, in particular in compliance with IEEE 802.11,

ISM connection (Industrial, Scientific, Medical Band),

Bluetooth® connection,

ZigBee connection,

UWB connection (Ultra Wide Band),

WiMax® connection (Worldwide Interoperability for Microwave Access),

infrared connection, and

mobile communication connection.

These connection types offer various advantages here depending on the form, wavelength and data protocol used. Thus some of said connection types enable e.g. a relatively high data transmission rate and allow a connection to be established relatively quickly, whereas others are by far the best suited to data transmission around line-of-sight obstructions. The combination of a plurality of these connection types and the simultaneous or parallel use thereof result in further advantages because this can then compensate for disadvantages of individual connection types.

Furthermore, it is preferred that the vehicle-to-X communication system implements the method according to the invention. The advantages resulting from the method according to the invention have already been described in detail.

The system according to the invention can be modified or extended without particular difficulties to implement additionally a method that is similar to, or at least is aimed at a similar purpose to, the method according to the invention. For this purpose it will generally be sufficient to increase accordingly the computing power of individual modules or a plurality of modules.

In addition, the present invention relates to using the vehicle-to-X communication system for selectively checking data security sequences of received vehicle-to-X messages.

BRIEF DESCRIPTION OF THE DRAWINGS

Further preferred embodiments are given in the following descriptions of exemplary embodiments with reference to figures, in which

FIG. 1 shows a schematic layout of the vehicle-to-X communication system according to the invention,

FIG. 2 shows a flow diagram containing an example sequence for the method according to the invention, and

FIG. 3 shows a traffic situation in which the method according to the invention is used.

DETAILED DESCRIPTION

FIG. 1 shows an example layout of vehicle-to-X communication system 101 according to the invention. Vehicle-to-X communication system 101 comprises sending module 102, receiving module 103, readout module 104, selection module 105 and checking module 106. Sending module 102, receiving module 103, readout module 104 and selection module 105 are connected to shared processing unit 108 via data connections 107. Checking module 106 itself includes processing unit 109 which has a dedicated design for checking cryptographic algorithms based on elliptic curves. Since a large amount of computing power must be expended on processing such algorithms, using dedicated hardware provides advantages of data processing efficiency in this case.

Vehicle-to-X messages are sent by sending module 102, and vehicle-to-X messages are received by receiving module 103. The vehicle-to-X messages are items of information about the vehicle status and items of information about the vehicle surroundings detected by surround sensors. Each vehicle-to-X message includes a data security sequence, and checking module 106 uses a check of the sequence to perform a reliability assessment of the vehicle-to-X message. Before checking module 106 checks a data security sequence, however, readout module 104 reads the information content of the associated vehicle-to-X message. Selection module 105 selects on the basis of the read information content a subset of the number of vehicle-to-X messages received in the current operating cycle. Since, for example, the selected subset of vehicle-to-X messages is not sufficient to utilize in full the available checking capacity, selection module 105 performs a selection correction, which is used for selecting further vehicle-to-X messages. The available checking capacity can thereby be utilized in full and no checking capacity is left unused. Checking module 106 then performs a reliability assessment on the finally selected vehicle-to-X messages by checking the included data security sequence. Vehicle-to-X communication system 101 is additionally coupled to driver assistance systems 111, 112 and 113 via data connections 110. Driver assistance system 111 is a warning facility for visual, haptic, and acoustic warning of the driver; driver assistance system 112 is a steering assistant, which can assist the driver by applying a steering moment to the steering wheel. In addition, steering assistant 112 can perform an autonomous steering intervention and override the driver. Driver assistance system 113 is a braking assistant, which can independently increase a braking moment entered by the driver, and furthermore is designed also to execute autonomous full and partial braking. Depending on the information contents of the received vehicle-to-X messages or on the reliability assessments thereof, received vehicle-to-X messages are forwarded to one or more of driver assistance systems 111, 112 and 113 and processed by same, or are not forwarded and discarded.

FIG. 2 shows a flow diagram containing an example sequence for the method according to the invention. All the method steps shown form in total a single operating cycle here. In method step 21, a number of vehicle-to-X messages are received, and in simultaneously executed step 22 a number of vehicle-to-X messages are sent. The sent and received vehicle-to-X messages each comprise a data security sequence. Normally the number of received vehicle-to-X messages is greater than the number of sent vehicle-to-X messages because a recipient is surrounded by a multiplicity of senders. In method step 23, the information content of the received vehicle-to-X messages is read. In step 24, the vehicle-to-X messages are selected on the basis of this information content, wherein solely the data security sequences of selected vehicle-to-X messages are checked in the relevant operating cycle. The selection takes into account the following factors:

actual speed of the recipient,

relative speed of the recipient with respect to the sender,

activation status of driver assistance systems and/or comfort systems,

distance between the recipient and sender,

estimated time of entry of the sender into a critical zone around the recipient,

estimated time of intersection of the trajectories of motion of the sender and recipient,

orientation of the recipient with respect to the sender,

relative direction of travel of the recipient with respect to the sender, and

road classification.

The checking of the data security sequences of the selected vehicle-to-X messages and hence the reliability assessment of the vehicle-to-X messages takes place in method step 25. In step 26, the unselected vehicle-to-X messages are forwarded to the associated driver assistance systems without prior reliability assessment, and processed by same. If the result of the reliability assessment in step 25 is that a vehicle-to-X message is unreliable, this message is discarded in step 27. After checking the data security sequences of the selected vehicle-to-X messages in step 25, these vehicle-to-X messages are also forwarded in step 26 to the associated driver assistance systems, and processed by same.

FIG. 3 shows a traffic situation in which the method according to the invention is used. It shows vehicles 32, 33, 34, 35 and 36 located at crossroads 31. Vehicle 37 is approaching crossroads 31 from some distance. The direction of travel of vehicles 32, 33, 34, 35, 36 and 37 is indicated by an arrow in each case. According to signage 38, 38′, 38″ and 38′″ of crossroads 31, vehicles 32, 33 and 36 entering crossroads 31 must give way to vehicle 37.

By way of example, vehicle 33 is equipped with the vehicle-to-X communication system according to the invention. Vehicles 32, 33, 34, 35, 36 and 37 send vehicle-to-X messages in the form of “cooperative awareness” messages, each of which contains a piece of information about the speed, location and orientation of respective vehicles 32, 33, 34, 35, 36 and 37. In addition, all sent vehicle-to-X messages comprise a data security sequence, which the recipient can use for a reliability assessment of the vehicle-to-X message. Owing to the checking capacity available in vehicle 33, for example a maximum of three different vehicle-to-X messages can be checked per operating cycle of the vehicle-to-X communication system. In practice, the available checking capacity will be designed to be far higher, but is restricted to three vehicle-to-X messages per operating cycle in this exemplary embodiment in order to illustrate the invention clearly. Since the information contents of the received vehicle-to-X messages are read first before checking the data security sequences, a selection based on the information contents can be performed subsequently, wherein only the data security sequences of the selected vehicle-to-X messages are checked. A decision to check the vehicle-to-X messages of vehicle 32, 34 and 37 is made on the basis of the information contents of the received vehicle-to-X messages. The vehicle-to-X message from vehicle 32 is selected because this vehicle is driving in front of vehicle 33 and hence constitutes a potential collision partner. The vehicle-to-X message from vehicle 34, on the other hand, is selected because of the spatial proximity to vehicle 33, and the vehicle-to-X message from vehicle 37 is selected because vehicle 37 is approaching crossroads 31 at relatively high speed and has right of way over vehicle 33, whereby vehicle 37 likewise constitutes a potential collision partner for vehicle 33.

According to a further example shown in FIG. 3, vehicle 32 is likewise equipped with the vehicle-to-X communication system according to the invention and additionally with surround sensors in the form of radar sensor and stereo-camera sensor. Vehicle 32 receives cooperative awareness messages from vehicles 33, 34, 35, 36 and 37. Owing to the available checking capacity, however, only the data security sequences of a maximum of three received vehicle-to-X messages can be checked per operating cycle. A piece of information about vehicle 33 is detected by the backward-pointing radar sensor, and a piece of information about vehicle 35 is detected by the forward-pointing stereo-camera sensor. The information contents of the information detected by the stereo-camera sensor and the radar sensor are compared with the information contents of the cooperative awareness messages from vehicles 33 and 35. Since the information contents match, the cooperative awareness messages from vehicles 33 and 35 are not selected but forwarded directly to the relevant driver assistance systems and processed by same. The data security sequences of the cooperative awareness messages from vehicles 34, 36 and 37 are then checked.

According to an exemplary embodiment of the invention, which is not shown, a vehicle is equipped with a large number of surround sensors. The information contents of the vehicle-to-X messages from senders that are spatially close and not hidden by obstructions can hence be compared with the information contents of the information detected by the surround sensors. These vehicle-to-X messages are therefore not selected. Vehicle-to-X messages from objects that are far away or hidden, on the other hand, cannot be detected by the surround sensors. A comparison with the information contents of the information detected by the surround sensors is accordingly not possible and these vehicle-to-X messages are selected.

In a further exemplary embodiment, which is not shown, a vehicle is likewise equipped with a large number of surround sensors. Most of the information contents of the received vehicle-to-X messages from the immediate surroundings can hence be compared. Since, however, two vehicle-to-X messages each comprise an information content that cannot be compared with information contents of the information detected by the surround sensors, these vehicle-to-X messages are selected and checked. The first vehicle-to-X message that cannot be compared is the length of a traffic-light phase, and the second vehicle-to-X message that cannot be compared is the number of vehicle occupants of a vehicle in front.

According to a further exemplary embodiment, which is not shown, a vehicle receives a number of vehicle-to-X messages, of which one group describes a traffic jam and another group describes a set of roadworks. Since there is insufficient checking capacity available, however, to check all these vehicle-to-X messages, random vehicle-to-X messages are selected from both groups by a statistical selection method and checked. The reliability of the unchecked vehicle-to-X messages in the same group that likewise describe the traffic jam or set of roadworks is inferred from the reliability assessment of the checked vehicle-to-X messages. Since these unchecked messages contain the same information content, it can be assumed that they are reliable.

According to an exemplary embodiment, which is likewise not shown, a vehicle receives a number of vehicle-to-X messages, of which only one message is selected on the basis of the information content thereof. Therefore checking capacity is still available for further checks. In order to utilize in full the available checking capacity and to leave no checking capacity unused, further vehicle-to-X messages are selected by the selection correction from the number of vehicle-to-X messages received in total in the current operating cycle.

In a further exemplary embodiment, which is likewise not shown, a vehicle receives a number of vehicle-to-X messages, of which a subset is selected on the basis of the information contents thereof. This subset, however, exceeds the available checking capacity. Therefore a selection correction takes place that takes into account a plurality of vehicle-to-X messages received in the same operating cycle from a specific sender, i.e. only one vehicle-to-X message is selected per sender and per operating cycle. Since the available checking capacity would still be insufficient to check all the selected vehicle-to-X messages, then the reliability assessments of vehicle-to-X messages from the specific sender that were checked in a previous operating cycle are taken into account to exclude further vehicle-to-X messages from the check if these messages were assessed as reliable. The same procedure is followed with further senders from which vehicle-to-X messages have already been checked in one of the three previous operating cycles. The selected subset is thereby reduced to such an extent that it corresponds to the available checking capacity and is neither greater than nor less than this capacity.
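The content-based selection and the selection correction described in the embodiments above, as an added example that is not taken from the patent text. The `Msg` fields, the two thresholds, the urgency ordering and the final cut by urgency are assumptions, and a deterministic ordering stands in for the statistical selection method.

```python
from dataclasses import dataclass
from math import inf

@dataclass(frozen=True)
class Msg:                      # fields as read from the still-unverified payload
    sender: int
    distance_m: float           # distance between recipient and sender
    ttc_s: float = inf          # estimated time to collision, inf if none
    sensor_match: bool = False  # content confirmed by own surround sensors

def urgency(m):
    """Sort key: imminent collision partners first, then nearest senders."""
    return (m.ttc_s, m.distance_m)

def select_for_check(msgs, capacity, trusted=frozenset(), ttc_limit_s=5.0, near_m=30.0):
    """Return the messages whose data security sequence is checked this cycle."""
    ranked = sorted(msgs, key=urgency)
    # Content-based selection; sensor-corroborated messages are not selected.
    chosen = [m for m in ranked if not m.sensor_match
              and (m.ttc_s <= ttc_limit_s or m.distance_m <= near_m)]
    if len(chosen) > capacity:
        # Correction: keep only the most urgent message of each sender.
        first = {}
        for m in chosen:
            first.setdefault(m.sender, m)
        chosen = list(first.values())
    for m in reversed(list(chosen)):
        # Correction: skip senders assessed reliable in a recent cycle,
        # least urgent first, until the subset fits the capacity.
        if len(chosen) <= capacity:
            break
        if m.sender in trusted:
            chosen.remove(m)
    chosen = chosen[:capacity]   # assumption: cut by urgency if still too many
    for m in ranked:
        # Correction: fill unused capacity from all messages of this cycle.
        if len(chosen) >= capacity:
            break
        if m not in chosen:
            chosen.append(m)
    return chosen

# Constructed sample: FIG. 3 as seen from vehicle 33, capacity of three checks.
FIG3_AT_33 = [Msg(32, 8.0, 4.0), Msg(34, 12.0), Msg(35, 45.0),
              Msg(36, 40.0), Msg(37, 120.0, 3.5)]

if __name__ == "__main__":
    print([m.sender for m in select_for_check(FIG3_AT_33, capacity=3)])
```

The `trusted` set is meant to hold only senders whose messages passed a real check in a recent operating cycle; an identifier read from an unchecked payload proves nothing about the sender.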

While the above description constitutes the preferred embodiment of the present invention, it will be appreciated that the invention is susceptible to modification, variation, and change without departing from the proper scope and fair meaning of the accompanying claims.

The invention claimed is:
 1. A method for selectively checking data security sequences of received vehicle-to-X messages, the vehicle-to-X messages being messages containing information that is sent to a vehicle from another road user or an infrastructure facility, the method comprising the steps of: receiving or sending a number of the vehicle-to-X messages in an operating cycle of a vehicle-to-X communication system, wherein at least one of the vehicle-to-X messages comprises a data security sequence, checking the data security sequence during the operating cycle by performing a reliability assessment of the at least one of the vehicle-to-X messages received, reading during the operating cycle an information content of the received vehicle-to-X message without prior checking of the data security sequence, selecting during the operating cycle a subset of a number of the received vehicle-to-X messages on the basis of the information contents, correcting during the operating cycle the selection of the subset of the number of vehicle-to-X messages selected on the basis of the information content is greater than or less than the available checking capacity, checking solely the data security sequences of selected vehicle-to-X messages; and wherein the selection on the basis of the information contents takes into account at least two of the following factors: an actual speed of a recipient, a relative speed of the recipient with respect to a sender, an activation status of a driver assistance system or a comfort system, a distance between the recipient and sender, an estimated time of entry of the sender into a critical zone around the recipient wherein the critical zone has an adaptable extent and outline, an estimated time of intersection of the trajectories of motion of the sender and the recipient, an estimated time of the recipient colliding with the sender, an orientation of the recipient with respect to the sender, a time stamp of a vehicle to X message, a relative direction of travel of the recipient with respect to the sender, and a road classification is made according to one or more of a permitted maximum speed, a lane width, a separation of lanes, a number of lanes, a proximity to built-up areas, and weather conditions.
 2. The method as claimed in claim 1 further comprising in that the selection on the basis of the information contents takes into account a comparison of the information contents with information content of information detected by at least one surround sensor, wherein a vehicle-to-X message of the messages having information contents which match the information contents of information detected by the at least one surround sensor are not selected.
 3. The method as claimed in claim 1 further comprising in that the selection on the basis of the information content takes into account an intervention in a vehicle control system that will be actuated by a processing of the vehicle-to-X messages, wherein the vehicle-to-X messages that causes an intervention in the vehicle control system on being processed is always selected.
 4. The method as claimed in claim 1 further comprising in that the selection on the basis of the information contents takes into account a driver warning that will be actuated by a processing of the vehicle-to-X messages, wherein the vehicle-to-X messages that causes a warning on being processed is always selected.
 5. The method as claimed in claim 1 further comprising in that the data security sequences are generated and allocated based on an infrastructure for generating and allocating public keys, wherein the data security sequences are encrypted by an elliptic curve algorithm.
 6. The method as claimed in claim 1, wherein the selection correction fully utilizes an available checking capacity of the vehicle-to-X communication system.
 7. The method as claimed in claim 6, further comprising in that the selection correction based on a statistical selection method takes into account at least one of the following factors: a reception of more than one of the vehicle-to-X messages from a specific sender in the same operating cycle, a result of the reliability assessment of at least one of the vehicle-to-X messages from the specific sender in at least one previous operating cycle, wherein on receiving more than one of the vehicle-to-X messages from the specific sender, not all of the vehicle-to-X messages from the specific sender are selected in the operating cycle, and wherein, depending on the result of the reliability assessment of at least one of the vehicle-to-X messages from the specific sender in at least one previous operating cycle, at least one of the vehicle-to-X messages received in the operating cycle from the specific sender is not selected.
 8. The method as claimed in claim 1 further comprising in that the received vehicle-to-X messages are forwarded to at least one driver assistance system and processed, wherein the at least one driver assistance system is designed to at least one of warn a driver, intervene in the vehicle control system, and to override a driver instruction.
 9. A vehicle-to-X communication system for selectively checking data security sequences of received vehicle-to-X messages, the vehicle-to-X messages being messages containing information that is sent to a vehicle from another road user or an infrastructure facility, comprising, a sending module configured to send the vehicle-to-X messages, wherein the vehicle-to-X messages each form a data security sequence, a receiving module configured to receive the vehicle-to-X messages, a readout module configured to read information contents of the received vehicle-to-X messages without prior checking of the data security sequence during an operating cycle, and a checking module configured to check during the operating cycle a reliability assessment of the received vehicle-to-X messages by checking the one data security sequence in each of the messages, a selection module configured to select during the operating cycle a subset of the number of the received vehicle-to-X messages on the basis of the information contents, a selection correction module configured to correct during the operating cycle the selection of the subset of the number of vehicle-to-X messages selected on the basis of the information content is greater than or less than the available checking capacity, the checking module configured to check solely the data security sequences of selected vehicle-to-X messages, and wherein the selection module on the basis of the information contents is configured to take into account at least two of the following factors: an actual speed of a recipient, a relative speed of the recipient with respect to a sender, an activation status of a driver assistance system or a comfort system, a distance between the recipient and sender, an estimated time of entry of the sender into a critical zone around the recipient wherein the critical zone has an adaptable extent and outline, an estimated time of intersection of the trajectories of motion of the sender and the recipient, an estimated time of the recipient colliding with the sender, a time stamp of a vehicle to X message, an orientation of the recipient with respect to the sender, a relative direction of travel of the recipient with respect to the sender, and a road classification is made according to one or more of a permitted maximum speed, a lane width, a separation of lanes, a number of lanes, a proximity to built-up areas, and weather conditions.
 10. The system as claimed in claim 9, further comprising in that at least one of the sending module, the receiving module, the readout module, and the selection module comprise a shared chipset forming a shared processing unit.
 11. The system as claimed in claim 9 further comprising in that at least one of the processing unit of the sending module, the receiving module, the readout module, and the selection module is assigned to a driver assistance system or a vehicle control unit.
 12. The system as claimed in claim 9 further comprising in that the checking module comprises a processing unit having a dedicated design configured for checking cryptographic algorithms based on elliptic curves.
 13. The system as claimed in claim 9 further comprising in that at least one of the sending module, and the receiving module is designed to send or receive the vehicle-to-X messages by means of at least one of the following connection types: a WLAN connection, ISM connection, a Bluetooth® connection, a ZigBee connection, a UWB connection, a WiMax® connection, an infrared connection, and a mobile communication connection.
 14. The system as claimed in claim 9 incorporated into a motor vehicle.